1

Cryptanalysis on Hash Functions

Xiaoyun Wang

10/28/2005

2

Outline

Cryptology and Information Security Hash Functions and Information Security Introduction to Hash Function Application of Hash Function Dedicated Hash Functions Cryptanalysis on Hash Functions Colliding X.509 Certificates The Meaningful Collision Attack for Hash Functions The Second-Preimage Attack for Weak Message and MAC

3

Cryptology and Information Security

Information Security in Computer Network Confidentiality, Integrity, Availability, Validity, Non-repu

diation Cryptology is the key technique in Information Security Confidentiality : Encryption: Public Key or Symmetric Cip

hers Integrity ： Hash Functions Validity, Non-repudiation : Digital signature and Authentic

ation (Based on hash function and hard mathematics problems such as factorization, discrete logarithm etc.

Availability :

4

Hash Function and Information Security

Hash Function is an important technique in Information Security.

Hash function is a fundamental tool in cryptology. 1 Integrity: to guarantee the data integrity in the message

transfer. 2 Legality and no disavowing: to guarantee the security of

digital signatures ( no forgery). 3 Used to design many cryptographic algorithms and

protocols. For example, digital signature , group signature, threshold signature, e-cash, e-vote, bit-commitment, many other

provable-security cryptosystems.

5

Introduction to Hash Function

Hash Function: a compress function Y=H(M) which hash any message with arbitrary length into a fixed length output:

H(M): M {0,1}*{0,1}l One-way property ： Given any Y=H(M), it is infeasibl

e to get any substantial information of M. The ideal strength computations.

Second-Preimage Resistance: Given any message M1 ，it is difficult to find another message M2 such that : H(M1)=H(M2),

Free-Collision: It is difficult to find two different messages(M1, M2) with the same hash value:

　 H(M1)=H(M2) 。 Birthday attack:

l2

22l

l2

6

Application of Hash Function --Hash Function and Signature-1

H(M): hash function S(M): signature algorithm Signing process: Compute the fingerprint (or digest) of message: M H(M) Signing the fingerprint H(M): s=S(H(M)) If the fingerprint of M1 is the same as another different M2

H(M1)=H(M2)

Then M1 and M2 have the same signatures

S(H(M1))=S(H(M2))

H

7

Application of Hash Function --Hash Function and Signature-2

M1=(project application 1+apllication fund100,000$)

Bob has signed both messages M1 and M2 because of S(H(M1)) ＝ S(H(M2))

M2=(project application 2+application fund1000,000$)

H(M1)=H(M2)

M1

S(H(M1))

100,000$ approved

HackerBob(Signer ）

Hacker prepares two application versions for a project in advance

8

Application of Hash Function --Hash Function and Signature-3

(M2, S(H(M2))

Banks=S(H(M2)), No problem! Transfer 1000’000$Hacker

Hacker withdraws 1000,000$ with the forged signature

9

Application of Hash Function --Hash Function and Signature-4

M1=(project application 1+apllication fund 100,000$)M2=(project application 2+application fund 1000,000$)

Signature Forgery:

Attack 1 (Second pre-image attack):

Given M1, forge M2 such that H(M1)=H(M2)

Attack 2 (Collision attack):

Find M1 and M2 such that H(M1)=H(M2)

10

Application of Hash Function --Hash Function and Data Integrity

The time is 9 pm of Saturday.

The time is 9 pm of Sunday.

MessageM

Send the hash value H(M) of M by other way

ComputeH(M´) ，If H(M´)Y,believe M´isn’t the original Message

The time is 9 pm of Sunday.

Hacker

Modified M´

Alice Bob

11

Application of Hash Function --Advance for Provable Security

Shannon and perfect secure: Claude E. Shannon, Communication Theory of Secrecy Systems", 1949. Cryptographic art to cryptographic theory: Perfect secure cryptosystem One way function and public key cryptogarphy: W. Diffie, ME Hellman, New Direction in Cryptograph, 1976. Introduce public key cryptosystem and one way function Theory for psudorandom number gerneration: C. Yao, Theory and application of trapdoor functions, 1982 Psudorandom number gernerator: polynomial undistinguishable Advance for provable security: perfect security computational infeasible polynomial computational

infeasible (polynomial undistinguishable)zero-knowledge proofprovable security knowledge proof (based on hash function)

12

Application of Hash Function --Knowledge Proof Based on Hash Function

Before knowledge proof: Zero-Knowledge ProofKnowledge proof: hash function provides a random oracle: Prover P: Know a secret, for example: y=gx mod p, y: public; x: secretVerifier V: To verify Prover that P knows the secret x, but cannot

get the substantial information about x. H(M): One-way hash function c=H(y*g*t) (**) , t=gsyc

P: computes (c,s) satisfies the equation (**), send (c, s) to Verifier.

V: believe that P knows the secret x if the equation ** holds. c=H(y*g*t*m) (**) , t=gsyc: (c,s,m) is the signature of m.

13

Application of Hash Function --Knowledge Proof Based on Hash Function(Cont.)

Utilizing the knowledge proof based on hash function, many cryptographic algorithm and protocols are constructed:

Signature, group signature, threshold signature,

e-cash, bit commitment etc.

14

Dedicated Hash Functions Before 1990: Hash functions based on block ciphers Since 1990: Dedicated hash functions (constructed directly) Two kinds of dedicated hash functions MDx (Rivest) ： MD4, MD5, HAVAL, RIPEMD, RIPEMD-160. SHAx (NIST) ： SHA-0, SHA-1, SHA-256, 384, 512 Two widely used hash functions in the world: MD5, SHA-1 。

15

Cryptanalysis on Hash Functions ---Earlier Work on MDx

1 1993: Boer and Bosselaers found one message with two different sets of initial values.

2 1996: Dobbertin found a collision attack on MD4 with probability 2-22

(FSE’96).

3 1996: Dobbertin gave a psuodrandom collision example of MD5 which is two messages with another set of initial values (Eucrypt’96: Rump session).

4 2003: Rompay etc: collision attack with probability 2-29 (Asiacrypt’03).

16

Cryptanalysis on Hash Functions --- Wang etc Collision Attacks on MDx

In Crypto’04, Wang announced some collision examples on a series of hash functions.

1 MD5: Finding a collision with probability 2-37 (2004).

2 MD4: Finding a collision with probability 2-2-2-6.

3 RIPEME: Finding a collision with probability of 2-19.

4 HAVEL-128: Finding a collision with probability of 2-7.

17

Cryptanalysis on Hash Functions ---Earlier work on SHA-0

1997: Wang gave an algebraic method attack to find collision with probability 2-58 .

Circulated in China, wrote in Chinese. 1998: Chabaud and Joux found a collision attack

with probability: 2-61. 1998: Improved to about 2-45 by message modifi

cation

18

Cryptanalysis on Hash Functions --- Latest Work on SHA-0 and SHA-1

Joux: A four-block message collision was found by Joux in August which took about 80,000 hours of CPU time equivalent to the complexity 251 (Crypt’04 Rump session and Eurocrypt’05).

Biham and Chen: Found real collisions of SHA-1 up to 40 steps, and estimated that collisions of SHA-1 can be found up to 53-round reduced SHA-1 with complexity 248, where the reduction is to the last 53 rounds of SHA-1. (Crypt’04 Rump session and Eurocrypt’05).

Wang, Yin and Yu (Feb of 2005): Find a collision of SHA-1 with probability 2-69 (Crypto’05).

Wang, Yu and Yin (Feb of 2005 ): Find a collision of SHA-0 with probability 2-39 .

Latest improvement on SHA-1: Xiaoyun Wang , Andrew C. Yao, and Frances Yao, Find a collision of SHA-1 with probability 2-63

.

19

Colliding Valid X.509 Certificates

A. Lenstra, X.Y. Wang, B. Weger http://eprint.iacr.org/2005/067.pdf Constructing a pair of valid X.509 certificates in w

hich the “to be signed parts” is a collision for MD5.

Two certificates are different public keys for an owner.

The issuing Certificates Authority cannot prove the right key possession.

20

Meaningful Collisions for MD5 Stefan Lucks and Magnus Daum (Rump Session in Eurocrypt’05) http://th.informatik.unimannheim.de/people/lucks/HashCollisions/ http://www.cits.rub.de/MD5Collisions/

M1: A Recommendation Letter for Alice from the Boss Caesar

M2: A Order Letter for Alice’s privilege from the Boss Caesar

Two letters have the same hash value because of PS editorial softwareH(M1)=H(M2)

Questions: How many cryptographic applications suffer from the potential attack caused by hash function collisions.

21

The Second-Preimage Attack of Weak Messages

Wang, Lai etc results in Eurocrypt’05:

Any message is a weak message of MD4 with probability 2-122, and for a weak message it only need one-MD4 computation to find its second-preimage.

Any message M can be modified with the basic message modification techniques. The resulting message M0 is a weak m

essage with probability 2-23. M and M0 are close and the Hamming weight of the difference for two messages is 50 on average.

Under the advanced message modification, any message M can be modified into M0 which is a weak message with probability 2-2 to 2-6. However, the Hamming weight of the their difference grows quickly up to 110.

22

The Second-Preimage Attack of Weak Messages

Yu and Wang etc ( Recent work):

Any message is a weak message with probability 2-56 by a new collision differential path (See Table 1 and Table 2) .

By message modifications techniques, any message can be converted into a weak message with 227 MD4 computations, the Hamming weight for their difference is 44

23

Constructing MAC based-MD4

Three basic proposals to construct a MAC based-MD4

Secret prefix: MAC(M)=MD4(K1||M)

Secret suffix: MAC(M)=MD4(M||K2)

Envelope: MAC(M)=MD4(K1||M||K2)

24

Key Recovery from Hash Function Collisions--- Existing Attack for Key Recovery of Envelope Method

Bart Preneel and Paul C.van Oorschat :

It needs 2n/2 known text-MAC pairs and 2k1 offline compression function operations to recovery the key K1,, and 2k2 computations (exhaustive search) for recovery of K2.

Choosing K1 K2 does not offer additional security property. So they suggested

K1=K2.

25

Key Recovery from Hash Functions Collisions--- Effective Key Recovery of Envelope MAC Based on MD4

Wang and Yu (recent work):

Suppose K1=K2=K

Case 1 K is 128-bit.

Case 2 If K is a complete block, we deduce the 128-bit secret IV instead of finding K.

So we suppose K has 128-bit length.

26

Key Recovery from Hash Functions Collisions-- Effective key recovery of envelope MAC based on MD4 (Cont.))

Determine one bit condition b1,26= c1,26 in Table 2 with one computations and 262 MACs of random 384-bit messages M and their corresponding chosen 384-bit messages’ MAC(M’) , where difference is:

(K||M)-(K|| M’)=(0, 0, 0, 0, 222, 0,……, 0) (See Table 1)

Determine other conditions b1,i+4= c1,i+4 by one computation and the same number of MAC pairs with the similar collision differential path determined by the difference:

(K||M)-(K|| M’)=(0, 0, 0, 0, 2i, 0,……, 0) (i22).

Totally determine 32 conditions b1,i+4= c1,i+4 by 268 MAC pairs and 32 computations.

27

28

Key Recovery from Hash Functions Collisions-- Effective key recovery of envelope MAC based on MD4 (Cont.)

It is possible to determine more bit conditions of a1, d1 , c1 and b1 by other collision differential paths.

Provided that we have found s (s32) conditions for a1, d1 , c1 and b1 , we search for other 128-s bits, and then compute 128-bit K.

29

Key Recovery from Hash Functions Collisions -- Effective key recovery of envelope MAC based on MD4 (Cont.)

Conclusion: Determine the secret key K with about 296

computations and 268 MAC pairs with 32 collision differential paths determined by the difference:

(K||M)-(K|| M’)=(0, 0, 0, 0, 2i, 0,……, 0) The above result can be improved to determine the

secret key K with about 296-r computations with

more collision differential paths and more MAC pairs.

30

Thanks!